09

Nonprofit Internal Controls: Post Numero Uno

Whew. Now that things have slowed down a bit I want to post about something many (if not all) the last few presentation organizer’s have asked me to talk about; internal controls. Specifically, internal controls for organizations with staff smaller than 10 people and budgets less than 100K.

What Are They and Why Do They Matter?

Internal controls are processes and procedures that assist an organization in assuring there’s accuracy, consistency and honesty in and with whatever the controls govern. Lock your checks up? That’s an internal control. Require all computers have passwords? That would be another. And if tweaked just right each control can serve as a check or balance to another control (ex. Requiring deposits be recorded is good, but requiring a different person compare the deposit slip to what was initially recorded is a great check.)

Increasingly on the minds of donors and grant-makers, these must be a concern for donee’s as well. A system that consists solely of a two signature requirement on checks and approval on every other purchase just doesn’t cut the mustard anymore. Which means more comprehensive (or at least utilized) internal controls are not only becoming a competitive edge but the failure to have them is becoming a disadvantage.

Also, you can’t talk about risk management without talking about internal controls (hint: you should be talking about risk management). But managing risk is so much more than ensuring people don’t fall or take the new iPad. It’s putting measures in place to protect ALL assets. Be they people, property or money. And not to be jaded but lest we forget the other important aspect of risk management: perception. People on the outside must perceive that an organization is is functional, sustainable, and efficient/ judicious in its use of resources.

The government, foundations, corporations, individual donors…..they’re all watching. Each wanting to ensure that their dollars actually go toward the cause or the machine behind the cause (you being the machine). This can’t happen if money is being siphoned off or misreported.

Things to Think About Before Lifting a Finger

Now I’ve talked to quite a few people about this. I get that times are hard with harder ones ahead. I get when its just you, your cousin and the brother finding himself it can seem hard enough to run an organization without spending time, focus, and resources on anything else but the mission. But its been proven study by study that the smaller you are, the more at risk you are for theft, embezzlement and fraud; why put the organization through unnecessary (and foreseeable) risk? Moreover, there are more and more grant applications, watchdog groups and donors asking about internal controls; why create a disadvantage?

Taking the time to deliberate and implement internal controls can never be in vain. Honestly, the biggest culprit for difficult, failed, or ineffective internal controls seems to be burnout; not that internal controls weren’t needed. Everyone got really excited during the Prezi presentation but after months of navigating new rules or policies people can become restless, impatient or forget what the purpose was to begin with.

But there are a few ways to protect against this and before you open up Word to type the first policy these are things to think about.

For example, rather trying to implement internal controls in several different places at once have the staff and board sit down and brainstorm what their goals are. It’s important to start with the goal and work backwards because if you start with “what can we do” or “what do we think is the easiest” there are already limits before you’ve started. Is the goal for us to submit accurate and timely tax reports? Or are we trying to avoid/mitigate something in particular (such as the unauthorized removal of cash)? If the organization doesn’t take in much cash then don’t spend a ton of time trying to implement controls that deal with cash management.

Also think about the biggest exposures based on what the organization does. What are its transactions types, how big is each, etc. And of its biggest exposures, which ones have the biggest impact on the organization? Where would you make the biggest impact by tackling first?

Lastly, I’d make it clear that any internal controls you implement will be a team effort. Just because something smells financial doesn’t mean it will be left totally up to the finance person or people to handle. So if I’ve decided I’m going to tackle cash management, what aspects of this can be delegated to a board member or volunteer (provided their trained)? This way, no one feels like they’re being stuck with more work or responsibility than anyone else; everyone gets to suffer work together as a team.

Next Up……

Well that seems like enough for the first installment. The next post will get more into the meat and potatoes of internal controls with suggestions on things to implement and other traps or pitfalls to be weary of.